Privacy Policy – Resilio Ltd. (Internal)

Last Updated: March 6, 2026
Status: Compliant with Swiss nFADP & EU GDPR
Entity: Resilio Ltd, Lausanne, Switzerland
EU Representative: Resilio France, Bordeaux, France

Introduction

Resilio Ltd. (“we,” “us,” or “our”), a Swiss limited company incorporated in Ecublens (Vaud), Switzerland, under number CHE-256.900.000, and a spin-off from EPFL, provides digital environmental footprint assessment solutions. We are committed to protecting the privacy of our employees and candidates. This policy outlines how we process internal personal data in compliance with the Swiss Federal Act on Data Protection (nFADP) and the General Data Protection Regulation (GDPR) where applicable.

Data Controller

The entity responsible for your personal data is:

Resilio Ltd., EPFL Innovation Park, 1015 Lausanne, Switzerland

Email: privacy@resilio-solutions.com

CISO: Maximilien Valenzano, our DPO

Internal Data Processing (Employees & Candidates)

In accordance with Art. 328b of the Swiss Code of Obligations and Art. 88 of GDPR, we process employee data only to the extent necessary for the employment contract or to assess job suitability.

Categories of Employee Data

  • Recruitment: First and last names, Email, phone number, job position, CVs, cover letters, diplomas, and interview notes.
  • Administration: Contracts, social security numbers, bank details (payroll), and tax-related info. As necessary, employment or residency permit.
  • Performance: Annual reviews, feedback, and training certifications.
  • IT Logs: Metadata from the use of company tools (internal apps, Email, Resilio platforms, server logs) for security and maintenance.
  • Communication: Email, first and last name, recipients, messages.

Monitoring and Surveillance

  • No Behavioral Monitoring: We do not use technical systems for the sole purpose of monitoring employee behavior, in accordance with Art. 328b cited above.
  • Security Logs: IT monitoring (e.g., log files) is used strictly for security, performance optimization, or evidence in cases of suspected serious misconduct.

Tools and Applications

We use multiple third-party tools internally for our employees' communications and collaborative work. Below is the data processed for each app:

Zulip

Zulip Privacy Policy

User Data: First and Last name, email, Date of Birth, online status, content of conversations (messages and files), profile picture.

Technical Data: IP address, device type, browser info, error reports.

Nextcloud

Nextcloud Privacy Policy

User Data: First and Last name, email, Date of Birth, read/write access to files, time schedule / calendar of employees, content of documents, content modification history, saved internal work passwords, meetings time and participants, contacts.

Technical Data: IP address, device types, browser info, cookies (session).

Dolibarr

Dolibarr Privacy Policy

User Data: First and Last name, email, Date of Birth, Gender, address (road, number, ZIP, country, State), Telephone number, Social security numbers, Job position, Workplace (address), Salary, employment duration, hours worked per week, leaves (sick, marriage, ...).

Technical Data: IP addresses, device info, browser info.

Legal Basis for Processing

We process data based on the following legal pillars:

  • Contractual Necessity: To fulfill employment contracts.
  • Legal Obligation: To comply with applicable labor, tax, and social security laws.
  • Legitimate Interests: To ensure the security of our infrastructure, prevent serious misconduct, and improve our organization.
  • Consent: Where explicitly provided (e.g., "talent pool" CV retention).

Data Storage and Retention

  • Localization: We prioritize data storage on secure servers in the EEA (DGTZ) for Internal Data Processing. Our providers are individually certified to be compliant with GDPR and/or nFADP, and we ensure appropriate processing through subcontracting agreements.
  • Retention (Employees): Personnel files are kept for the duration of employment plus 10 years post-termination for legal/tax/social security reasons.
  • Retention (Candidates): CVs of rejected candidates are deleted within 6 months unless explicit consent is given to remain in our talent pool.
  • Retention (Logs): Logs are automatically deleted after 1 year.

Your Rights

Under the nFADP and GDPR, you have the following rights regarding your data:

  • Right to Access: Request a copy of the data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion (provided there is no legal retention duty).
  • Right to Portability: Receive your data in a structured, machine-readable format.
  • Right to Objection

Please contact privacy@resilio-solutions.com to exercise the above rights.

Data Security

We implement "Privacy by Design" and "Privacy by Default" principles, including:

  • Encryption: SSL/TLS encryption for data in transit and at rest.
  • Access Control: Strict "need-to-know" access for employees.
  • Audits: Regular security reviews of our infrastructure, comprising internal and external security audits.
  • Security Training: Our employees follow regular security training on general security topics, including but not limited to incident response plans.
  • Breach Reporting: We report breaches as soon as we identify what data has been leaked, right after an internal preliminary investigation of the incident.

Resilio's Information System Management System is ISO 27001 certified, recognizing our effort in IT security. Resilio Ltd. provides services to its affiliate companies (R&K Assess Sarl [CH] and Resilio France SASU [FR]).

Updates

We may update this policy to reflect changes in our internal procedures or Swiss/EU law. Significant changes will be communicated via our internal channels.